sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

iOS Patching - Failed to find temp directory #341

Closed san3ncrypt3d closed 4 years ago

san3ncrypt3d commented 4 years ago

I am getting this issue, please advise?

Using manually specified version: 12.7.26
Patcher will be using Gadget version: 12.7.26
No provision file specified, searching for one...
Found provision file /Users/sanjaybabu/Library/Developer/Xcode/DerivedData/cycura-ditzmakaqurjklcarxaejvbrhupe/Build/Products/Debug-iphoneos/cycura.app/embedded.mobileprovision expiring in 7 days, 3:54:12.652223
Found a valid provisioning profile
Traceback (most recent call last):
  File "/usr/local/bin/objection", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/objection/console/cli.py", line 309, in patchipa
    patch_ios_ipa(**locals())
  File "/usr/local/lib/python3.7/site-packages/objection/commands/mobile_packages.py", line 66, in patch_ios_ipa
    patcher.extract_ipa(ipa_source=source)
  File "/usr/local/lib/python3.7/site-packages/objection/utils/patchers/ios.py", line 275, in extract_ipa
    self.payload_directory = os.listdir(os.path.join(self.temp_directory, 'Payload'))
FileNotFoundError: [Errno 2] No such file or directory: '/var/folders/v0/dwtp4znn1h11_l6yfl5nwq440000gn/T/Payload'
Cleaning up temp files...
Failed to cleanup with error: remove: path should be string, bytes or os.PathLike, not NoneType

leonjza commented 4 years ago

The issue seems to be around this line where the patcher can't find your temp directory to check that the extraction worked. I am not sure why that failed, maybe check out the temp dir in the output? It was /var/folders/v0/dwtp4znn1h11_l6yfl5nwq440000gn in this case.

leonjza commented 4 years ago

Please also fill in the information asked in the issue template to help debug. This includes version information, commands to reproduce etc.

san3ncrypt3d commented 4 years ago

I restarted the whole process again:

Created an empty app on my phone for the provision file (mobileprovision).

objection: 1.8.4

The command I used was: objection patchipa -s s.ipa -c 8xxxF --gadget-version 12.8.13

This is the content of the dir. Screen Shot 2020-03-26 at 10 19 45 AM

Error:

Found a valid provisioning profile
Traceback (most recent call last):
  File "/usr/local/bin/objection", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/objection/console/cli.py", line 309, in patchipa
    patch_ios_ipa(**locals())
  File "/usr/local/lib/python3.7/site-packages/objection/commands/mobile_packages.py", line 66, in patch_ios_ipa
    patcher.extract_ipa(ipa_source=source)
  File "/usr/local/lib/python3.7/site-packages/objection/utils/patchers/ios.py", line 275, in extract_ipa
    self.payload_directory = os.listdir(os.path.join(self.temp_directory, 'Payload'))
FileNotFoundError: [Errno 2] No such file or directory: '/var/folders/9v/sbn95ydd57g0_j0wzyvkfqkc0000gn/T/Payload'
Cleaning up temp files...
Failed to cleanup with error: remove: path should be string, bytes or os.PathLike, not NoneType

leonjza commented 4 years ago

What was inside the T folder?

san3ncrypt3d commented 4 years ago

leonjza commented 4 years ago

I am not sure why you don't have the Payload folder. Can you manually unzip the IPA and check what's inside? Are you sure you have a valid app?

san3ncrypt3d commented 4 years ago

I re-extracted the IPA file, now I get a different error:

Using manually specified version: 12.8.13
Patcher will be using Gadget version: 12.8.13
No provision file specified, searching for one...
Found provision file /Users/sanjaybabu/Library/Developer/Xcode/DerivedData/cyc-civzwkgvhfqbbpahpmrhqzunlxkz/Build/Products/Debug-iphoneos/cyc.app/embedded.mobileprovision expiring in 7 days, 2:28:58.997002
Found a valid provisioning profile
Working with app: XT.app
Bundle identifier is: com.tXiphone.tX
Injecting the load library to /var/folders/9v/sbn95ydd57g0_j0wzyvkfqkc0000gn/T/Payload/XT.app/XT might have failed.

/bin/sh: T.app/T: No such file or directory
/bin/sh: T: command not found
/var/folders/9v/sbn95ydd57g0_j0wzyvkfqkc0000gn/T/Payload/T: No such file or directory

Codesigning 1 .dylib's with signature 8DB67ADEF4CF78F
Code signing: FridaGadget.dylib
Creating new archive with patched contents...
Codesigning patched IPA...
/bin/sh: t-frida-codesigned.ipa: command not found
/bin/sh: t-frida.ipa: command not found
Usage:

  applesign [--options ...] [target.ipa | Payload/Target.app]

  -a, --all                     Resign all binaries, even it unrelated to the app
  -b, --bundleid [BUNDLEID]     Change the bundleid when repackaging
  -c, --clone-entitlements      Clone the entitlements from the provisioning to the bin
  -f, --force-family            Force UIDeviceFamily in Info.plist to be iPhone
  -h, --help                    Show verbose help message
  -H, --allow-http              Add NSAppTransportSecurity.NSAllowsArbitraryLoads in plist
  -i, --identity [1C4D1A..]     Specify hash-id of the identity to use
  -L, --identities              List local codesign identities
  -m, --mobileprovision [FILE]  Specify the mobileprovision file to use
  -o, --output [APP.IPA]        Path to the output IPA filename
  -O, --osversion 9.0           Force specific OSVersion if any in Info.plist
  -w, --without-watchapp        Remove the WatchApp from the IPA before resigning
  -W, --without-xctests         Remove the XCTests from the resigned IPA

Example:

  $ applesign -w -c -m embedded.mobileprovision target.ipa

Copying final ipa from /var/folders/9v/sbn95ydd57g0_j0wzyvkfqkc0000gn/T/t&t-frida-codesigned.ipa to current directory...
Traceback (most recent call last):
  File "/usr/local/bin/objection", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/objection/console/cli.py", line 309, in patchipa
    patch_ios_ipa(**locals())
  File "/usr/local/lib/python3.7/site-packages/objection/commands/mobile_packages.py", line 85, in patch_ios_ipa
    os.path.join(os.path.abspath('.'), os.path.basename(patcher.get_patched_ipa_path())))
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/shutil.py", line 120, in copyfile
    with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: '/var/folders/9v/sbn95ydd57g0_j0wzyvkfqkc0000gn/T/t&t-frida-codesigned.ipa'
Cleaning up temp files...
Failed to cleanup with error: [Errno 2] No such file or directory: '/var/folders/9v/sbn95ydd57g0_j0wzyvkfqkc0000gn/T/t&t-frida-codesigned.ipa'

leonjza commented 4 years ago

What was inside?

Using manually specified version: 12.8.13 Patcher will be using Gadget version: 12.8.13 No provision file specified, searching for one... Found provision file /Users/sanjaybabu/Library/Developer/Xcode/DerivedData/cyc-civzwkgvhfqbbpahpmrhqzunlxkz/Build/Products/Debug-iphoneos/cyc.app/embedded.mobileprovision

How did you invoke the patch command here? Please, be verbose.

san3ncrypt3d commented 4 years ago

objection patchipa -s t.ipa -c 878F --gadget-version 12.8.13

The same command I was using before

Inside the dir Screen Shot 2020-03-26 at 11 41 17 AM

san3ncrypt3d commented 4 years ago

The app is a valid one too, I'm not sure why it's not creating a payload file in /T

Screen Shot 2020-03-26 at 11 51 59 AM

leonjza commented 4 years ago

Unfortunately I cannot reproduce this. Make sure you have a valid IPA (try other ones) and hopefully that will help you debug what is going on here.

nandy6666 commented 2 years ago

@san3ncrypt3d Even I got the same error. I found out why this issue occurred.

I had also extracted the IPA from the iPhone, but instead of naming the folder Payload (which contains the .app file and some .plist files), I named it differently.

Once I changed the folder name to "Payload", compressed it to a zip file and changed the file extension to IPA, it worked!
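
An added pre-flight check for the layout described in the last comment (example code, not part of the thread or of objection itself): it confirms that an IPA has a top-level `Payload/` folder holding a `.app` bundle before `objection patchipa` is run, and reports the top-level folder names it actually found. The function names and the two sample archives are constructed for illustration.

```python
import io
import zipfile


def check_ipa_layout(ipa):
    """Return (ok, message) for an IPA given as a path or a file-like object."""
    try:
        with zipfile.ZipFile(ipa) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False, "not a zip archive"
    # Top-level entries, e.g. 'Payload' or whatever the folder was named.
    top = sorted({n.split("/", 1)[0] for n in names if n})
    if "Payload" not in top:
        return False, f"no top-level Payload/ folder; found: {top}"
    # App bundles directly under Payload/, e.g. 'Payload/Demo.app/...'.
    apps = sorted({n.split("/")[1] for n in names
                   if n.startswith("Payload/") and n.count("/") >= 2
                   and n.split("/")[1].endswith(".app")})
    if not apps:
        return False, "Payload/ contains no .app bundle"
    missing = [a for a in apps if f"Payload/{a}/Info.plist" not in names]
    if missing:
        return False, f"no Info.plist in: {missing}"
    return True, f"found app bundle(s): {apps}"


def make_zip(entries):
    """Build a constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed samples: a correct layout and the misnamed-folder case.
GOOD = {"Payload/Demo.app/Info.plist": b"<plist/>",
        "Payload/Demo.app/Demo": b"\xcf\xfa"}
BAD = {"Extracted/Demo.app/Info.plist": b"<plist/>",
       "Extracted/Demo.app/Demo": b"\xcf\xfa"}

if __name__ == "__main__":
    for label, entries in (("good", GOOD), ("misnamed", BAD)):
        print(label, check_ipa_layout(make_zip(entries)))
```

Pass a real file path instead of the in-memory sample to check an IPA on disk.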